Introducing the EU's new cyber security obligations for businesses
The Cyber Solidarity Act (Solidarity Act) has taken another step towards becoming a reality. It was early December when the European Parliament's Industry, Research and Energy Committee adopted its draft report on the act, and shortly afterward the representatives of the Member States reached a consensus on the text.
Through testing entities in crucial sectors to see how they can better prepare, setting up incident response services, and providing mutual assistance to states affected by cybersecurity incidents, the Solidarity Act focuses on ensuring EU readiness to deal with cybersecurity incidents.
In recent years, European legislation has greatly influenced the debate on cybersecurity. With its cybersecurity strategy, the EU has issued numerous new legal acts aimed at enhancing cybersecurity across the European Union. It can be difficult for companies to understand their compliance obligations in the complex web of new regulations, which may not be self-explanatory. As part of this article, we categorise the EU Commission's overall strategy, how the new laws relate to each other, and what is regulated in each.
1. How does the EU plan to achieve its goals?
In addition to physical threats, cyberspace is increasingly becoming a source of threats to companies and government organizations. In parallel, digital infrastructure and connectivity are becoming increasingly important in all aspects of life. Legislation focuses on both physical infrastructure protection (e.g. CER-Directive) and cyber threat protection. In December 2020, the European Commission presented its new cybersecurity strategy. Based on four basic principles, it aims to achieve a higher level of protection:
Prevent
Detect
Respond
Deter
There is a particular focus on increased cooperation and information exchange between the member states. Cyber threats do not stop at national borders, so it is common for more than one member state to be affected by the same threat. As a result, centralized reporting systems and cross-sector security standards are being established in order to create a comprehensive picture of the situation. Risk-based thinking is incorporated into the strategy: products, services, or activities with a higher level of risk are subject to more extensive and stringent obligations. This risk-based approach applies both to the scope of application of the legal acts and to the specific obligations within them (for example, the NIS 2 Directive applies to organisations whose systemic relevance makes them particularly worthy of protection). Technical and organisational measures (such as a risk management system) are used in the strategy to address both the hardware and software security of products as well as the company's overall security.
2. Which legal acts are there?
These legal acts implement the Commission's strategy in detail:
NIS-2 (Directive EU 2022/2555): NIS-2 aims to increase the cyber resilience of critical infrastructure and entities classified as ‘important’ or ‘essential’ that operate in sectors that are particularly worthy of protection.
Cybersecurity Act (Regulation EU 2019/881): The Cybersecurity Act creates a standardised certification framework for ICT products and strengthens the European Union Agency for Cybersecurity (ENISA).
Cyber Resilience Act (Regulation EU 2024/2847): The Cyber Resilience Act establishes horizontal security regulations for products with digital elements (e.g. Internet of Things).
Cyber Solidarity Act (Regulation EU 2025/38): The Cyber Solidarity Act aims to improve cross-border defence against cyber-attacks by establishing warning, emergency and verification systems.
Digital Operational Resilience Act ‘DORA’ (Regulation EU 2022/2554): DORA is intended to increase resilience in the financial sector by imposing increased security requirements on financial entities and also on their ICT service providers.
3. How is regulation implemented?
NIS-2: The directive entered into force in January 2023, but as a directive it must be transposed into national law before its obligations apply to companies. Many member states are still struggling with transposition, despite the deadline expiring on 17 October 2024.
It aims to ensure a high level of cybersecurity in sectors that are particularly important (its counterpart, the CER Directive (EU 2022/2557), aims to ensure the physical security of critical entities). The directive outlines cybersecurity measures (e.g. risk management systems), registration and reporting of security incidents, and supervisory measures (e.g. on-site inspections). Member states also cooperate across the EU in reporting cyber threats and defending against them, as well as exchanging information.
The circle of addressees has expanded considerably. In the past, only critical infrastructure was covered by these obligations, but now companies in relevant sectors (energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space) are also covered. Other critical sectors, such as post/courier services, waste management, production and manufacturing, digital providers, and research, are covered as well. A company's turnover and employee count are among the criteria for classifying it as important or essential. In some instances, however, the provisions apply regardless of the size of the organization (e.g., providers of public electronic communication networks). Although national implementation of the directive has stalled, companies should already check whether they fall within its scope and determine what security measures they must take to comply.
Cybersecurity Act:
Since 28 June 2021, the Regulation has been directly and fully applicable in all member states. By harmonizing the certification process for information and communication technology (ICT) products, services, and processes, the Cybersecurity Act strengthens cybersecurity in the Union. The levels of security are classified into 'low', 'medium', and 'high' according to different criteria. Assessment criteria may include protection against unauthorised access to stored data, security through default settings, or documentation of data access. Additionally, ENISA has been given a permanent and strengthened mandate: it provides comprehensive coordination, support, and advisory services to member states and Union bodies.
Cyber Resilience Act:
The Regulation has been in force since 10 December 2024, and its main obligations become directly applicable on 11 December 2027. The Cyber Resilience Act focuses primarily on product security at the horizontal level. The General Product Safety Regulation (EU 2023/988) includes specific provisions on cybersecurity in addition to the general provisions on product safety. Product manufacturers, importers, and retailers who sell digital products are subject to these obligations. A growing number of products (e.g. Internet of Things) embed software, creating security gaps; embedded systems, software, and hardware are all covered. Security requirements must be taken into account along the entire value chain, from the planning, design and development of a product through its maintenance and updates. A recall and reporting requirement is also in place. The act follows a risk-based approach and imposes additional obligations on products that are classified as 'important' or 'critical'. For open source software (OSS) and certain products (e.g. medical devices), there are exceptions.
Cyber Solidarity Act:
On 15 January 2025, the regulation was published in the Official Journal of the European Union, and it takes effect on 4 February 2025. The Cyber Solidarity Act aims to prevent and defend against cyber attacks across borders. This will be accomplished by creating EU-wide infrastructures for incident detection, response, and management, based on three systems:
European Cybersecurity Alert System: A Europe-wide network of voluntarily participating national and cross-border cyber hubs for the detection, analysis and data processing of cyber threats and the prevention of security incidents.
Cyber Emergency Mechanism: A system to reinforce the Union's resilience to cyber threats, in particular through readiness tests, measures to support incident response, mutual assistance and the establishment of a cybersecurity reserve.
European Cybersecurity Incident Review Mechanism: At the request of the Commission and with the agreement of the affected member state, ENISA can carry out a review and assessment of cyber threats, known exploitable vulnerabilities and containment measures in relation to a specific serious cybersecurity incident and prepare a report. This report may include recommendations for improving cyber defence.
DORA:
Since 16 January 2023, the Regulation has been directly applicable. DORA establishes specific security regulations for the financial sector. Financial organizations are required to manage ICT risks, manage ICT incidents, conduct security testing, manage ICT third-party relationships (e.g. contracts) and share information. Financial companies also fall within the scope of the regulation if they provide ICT services. Supervisory authorities conduct special monitoring of critical ICT service providers. Responsibility for implementing these obligations lies with the management bodies of the companies concerned.
DORA is a sector-specific law that has significant implications for ICT service providers, but it is not directly part of the general cybersecurity strategy. It should be noted, however, that in addition to the general cybersecurity legislation, further sector-specific regulations may also apply (for example, Implementing Regulation EU 2015/1998 for aviation security and Implementing Regulation EU 2022/1426 for fully automated vehicles).
Need some guidance?
Following the guidelines of ISO 27001, receiving training, and working with an auditor such as Temple to ensure that gaps are addressed and your processes are sound is the best way to make sure that you and your business are well prepared and secure.
Email Temple on enquiries@templeqms.com to arrange a chat about your training and ISO 27001 implementation for your business.